Alan Orth
10cbf75c27
An attack on Triple DES was recently published[0]. It's not a very high severity attack but the fact is that Triple DES is very old and there are much better ciphers to use, like AES and ChaCha20. I logged the ciphers that were negotiated on all of my vhosts over a period of 72 hours and there were zero occurrences of Triple DES, so I am removing it, as suggested by the authors of the attack as well as OpenSSL[1].

[0] https://sweet32.info
[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
7 lines
658 B
Plaintext
---
# file: group_vars/all
tls_cipher_suite: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
# vim: set ts=2 sw=2:
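
Added example, not part of this commit or repository: a Python sketch of the two checks the commit message implies, namely whether a cipher string still enables a 64-bit block cipher such as Triple DES, and whether any was actually negotiated in logged traffic. The "vhost protocol cipher" log format, the sample lines and the shortened cipher lists are constructed assumptions.

```python
import re
from collections import Counter

# Components of OpenSSL cipher names that denote a 64-bit block cipher,
# the class Sweet32 targets (e.g. DES-CBC3-SHA is Triple DES).
BLOCK64 = {"DES", "3DES", "IDEA", "RC2"}

def is_64bit_block(name):
    return any(p in BLOCK64 for p in re.split(r"[-+]", name.upper()))

def enabled_64bit(cipher_string):
    """Tokens of an OpenSSL cipher string that add a 64-bit block cipher.

    Tokens starting with '!', '-' or '+' only remove or reorder ciphers, so
    they are skipped. Group keywords (HIGH, DEFAULT, ...) are not expanded.
    """
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    return [t for t in tokens if t[0] not in "!-+" and is_64bit_block(t)]

def negotiated_64bit(log_lines):
    """Count negotiated 64-bit block ciphers; the cipher is the last field."""
    seen = Counter(l.split()[-1] for l in log_lines if l.strip())
    return {c: n for c, n in seen.items() if is_64bit_block(c)}

# Constructed inputs: a shortened list in the style of tls_cipher_suite and
# the same list with Triple DES suites appended.
WITHOUT_3DES = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128-SHA:!DSS"
WITH_3DES = WITHOUT_3DES + ":ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA"

# Constructed log lines in a hypothetical "vhost protocol cipher" format.
SAMPLE_LOG = [
    "www.example.org TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256",
    "www.example.org TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256",
    "old.example.org TLSv1 DES-CBC3-SHA",
    "old.example.org TLSv1.2 AES128-SHA",
]

if __name__ == "__main__":
    print("still enabled:", enabled_64bit(WITH_3DES))
    print("negotiated:", negotiated_64bit(SAMPLE_LOG))
```

An empty result from both functions over a representative logging window is the condition under which removing the suites breaks no observed client.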